Late post this week – I spent the weekend on the 3 Day Breast Cancer Walk – yes my legs are sore, but I am proud to have raised $ for the cause.
I want to throw this out: that GRC itself is going through a maturing process. Let’s call the first ‘ad-hoc’ stage GRC 1.0, and the second, more ‘rationalized’ stage GRC 2.0 and the ‘optimized’ stage we are entering now, GRC 3.0.
When GRC first emerged as a concept in 2002, programs and technologies were quite basic: GRC 1.0. Manual processes supported risk and compliance analysis and reporting. Organizations had mostly weak governance and accountability models, and there was minimal adoption of automated monitoring and analysis technology for business or IT.
By about 2008, GRC had matured to a point where many processes were rationalized and partially automated: GRC 2.0. Compliance programs for key regulatory imperatives (SOX, PCI, GLBA) were in place. Basic ‘common systems of record’ and a ‘single version of the truth’ based on surveys had been implemented in many organizations. However, assessments based mostly on snapshot, conjecture-based surveys are not highly reliable. Risk management is still operating in silos, and for the most part is not tied directly to business or regulatory requirements. As a result, minimal reduction of GRC program expenditures has been realized, because programs operating in silos run inefficiently.
In 2009, a new era has begun, driven by virtualization and the maturing of controls monitoring in both the business processes and the IT infrastructure. It is finally possible to begin the integration of discrete GRC capabilities to provide the synergies GRC promises. This is GRC 3.0, where governance, risk and compliance programs are managed holistically for the extended, virtual enterprise and infrastructure. In this era we will see greater business and IT alignment of policy, compliance and risk appetite. All IT management processes will be supported: Business Assurance, Policy, Information Lifecycle Management, Backup, Recovery and Archiving, Resource Management, Storage, Change and Configuration, and Security Management. GRC analysis will be based on near-real-time empirical information, which is highly reliable. Risks can then be managed to acceptable levels, and organizations can capitalize on new opportunities with agility, because risks will be more visible.
I think we are entering this dynamic GRC 3.0 stage now. What's your take? I believe it is all about the Seeing, Understanding and Believing concepts I covered a few weeks ago. In the upcoming weeks, we can dive more deeply into what the difference really is between GRC 2.0 and GRC 3.0 – this will help us all prepare for the transformation and ride the wave as it comes… unless of course you aren't convinced, in which case let's hear your thoughts :-)
@Yo
Great post, great blog -- always a good and thoughtful read. Keep up the good work!
-- Chuck
Posted by: Chuck Hollis | 10/13/2009 at 10:59 PM
Great! You clearly segment GRC into 3 and I like the transitions that you explain. Very thoughtful!
- Sudhir
Posted by: Sudhir Vijendra | 10/14/2009 at 08:31 AM
This is an interesting article, and when I read it I immediately had a flashback to 2006 when AMR (John Hagerty) published the GRC Maturity Model that was the starting point for several discussions I had with many customers. I totally agree that GRC has matured and that many customers transitioned from a low-level reacting mode (panic mode, get it done, operate in isolation) to a more sophisticated anticipating (acceptance, efficiency, automation) and even collaborating (identify risks, assess exposure, prioritize actions) approach. But as AMR pointed out, it is mandatory to take the various industries and geographies into account when talking about maturity. We have seen quicker response to compliance and regulations with companies in financial sectors, because they already are very scrutinized by governments and have to comply with tons of regulations. At the same time, while we saw US companies working hard on getting a grip on their compliance issues, the Europeans, with less pressure on regulations, had a need for mature risk-related management and solutions. It is also sometimes surprising for me that even though GRC has matured, due to the fact that the surrounding IT environment has advanced so much (see virtualization and cloud computing), many companies feel comfortable to stay in GRC 2.0 and do not see the need to spend more money and resources to mature even further.
- Axel
Posted by: Axel Streichardt | 10/18/2009 at 04:45 PM
I think you will see some of your thoughts also proposed in the S.African King 3 report:
http://www.iodsa.co.za/downloads/documents/Draft%20King%20III%20at%20a%20glance.pdf
Posted by: twitter.com/simon_g | 11/03/2009 at 09:21 AM
Certainly great!
Posted by: phoenix web design | 01/21/2011 at 03:27 AM